Title: Implementing Infrastructure for the eUniversity
Slide 1: Implementing Infrastructure for the eUniversity
- Art Vandenberg, Director, 404-463-9601, Avandenberg_at_gsu.edu
- Fred Przystas, Project Manager, 404-463-9602, Cagfwp_at_gsu.edu
Information Systems Technology, Advanced Campus Services, Georgia State University
University System of Georgia Annual Computing Conference, October 25-27, 2000
Slide 2: The eUniversity
- Why the Rush? Why Do We Need It?
Slide 3: Why the Rush?
- As universities continue to expand their customer base via the internet, they are reaching beyond their territory into YOUR territory.
- Distance is no longer a barrier as a result of the internet and Distance Learning.
- Playing catch-up is difficult given the rate at which technology and information are currently speeding along this virtual internet highway.
Slide 4: Why do we need the eUniversity?
- Improve the quality of University Services
- Reduction of Costs
- Open New Avenues for Revenue
- More sophisticated ways of doing business
- Enhance collaborative research
- Provide a campus portal for students to obtain various services
Slide 5: Major Areas of Focus
- E-academics: enhanced technology learning and distance learning
- E-research: promotes collaborative research and scholarly publishing
Slide 6: Major Areas of Focus
- E-business: electronic administrative services, i.e., travel, purchasing, and supply
- E-community: become a valued resource for the surrounding communities we serve by providing easy access to various online services such as GIL, G.L.O.B.E, and eCore
Slide 7: How do we get there?
- Coordination: Project Planning
- Cooperation: Inclusion of Stakeholders
- Creativity: Funding and Resources
- Consultation: Hire an outside group to examine what you have, and what you will need to implement the eUniversity
Slide 8: What Else Is Needed?
Public Key Infrastructure (PKI)
Slide 9: SECURITY
SAFE ENVIRONMENT
ENCRYPTED TRANSACTIONS
CERTIFICATE AUTHORITY
UNIVERSAL UNIQUE ID (UUID)
REGISTRATION AUTHORITY
IDENTIFICATION
TRUST
YOU NEED IT TO...
Slide 10: COMPETE, SURVIVE!
Slide 11: Public Key Infrastructure
- Confidentiality
- Integrity
- Authentication
- Non-repudiation
Slide 12: Components of PKI
- Security Policy
  - Defines the Organization's Top-Level Security
- Certificate Practice Statement (CPS)
  - Outlines Key Creation/Distribution and Certificate Issuance
  - Identifies Levels of Risk
Slide 13: Components of PKI
- Certificate Authority (CA)
  - Sets Expiration Dates for Digital Certificates
  - Tracks Certificate Revocation Lists (CRLs)
  - Issues Certificates binding the identity of a user or system to a public key with a Digital Signature (DS)
Slide 14: Components of PKI (Cont.)
- Registration Authority (RA)
  - Interface between User and CA
  - Authenticates Identity of User following Security Policies
  - Quality of Authentication sets the level of trust placed on certificates issued
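An added example, not from the deck or from GSU's deployment, of what the CA and RA bullets on the two slides above amount to in code: a self-signed campus CA issues a certificate that binds an identity the RA has vetted to the user's public key, sets its expiration date, and publishes a CRL; a relying party then checks the CA's signature, the validity period and the revocation status. Names and serial numbers are placeholders, and the code assumes Go 1.19 or later for crypto/x509's revocation-list support.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue signs tmpl with the issuer's key (the CA chooses the validity period) and parses the result.
func issue(tmpl, issuer *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey, years int) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now(), time.Now().AddDate(years, 0, 0)
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// Fixture: a self-signed campus CA, one certificate binding an RA-vetted identity to a fresh key, and a CA-signed CRL revoking it (constructed data, placeholder names).
func Fixture() (ca, alice *x509.Certificate, crl *x509.RevocationList) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Campus CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = issue(caT, caT, caPub, caKey, 10)
	pub, _, _ := ed25519.GenerateKey(rand.Reader) // the user's key pair; only the public half reaches the CA
	alice = issue(&x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "alice@example.edu"}}, ca, pub, caKey, 1)
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().AddDate(0, 0, 7),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: alice.SerialNumber, RevocationTime: time.Now()}}}
	der, _ := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	crl, _ = x509.ParseRevocationList(der) // parsed the way a relying party that fetched it would
	return
}
// Check accepts cert only if it chains to the CA and is within its validity period at time t, and the CA-signed CRL does not list its serial number.
func Check(ca, cert *x509.Certificate, crl *x509.RevocationList, t time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: t}); err != nil {
		return err // unknown issuer, bad signature, or outside NotBefore/NotAfter
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return err // never act on a CRL the CA did not sign
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate revoked")
		}
	}
	return nil
}
```

Check runs the expiry test before the CRL lookup, so an expired and revoked certificate is reported as expired; a certificate from any other CA fails the first check regardless of what the CRL says.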
Slide 15: Components of PKI (Cont.)
- Certificate Distribution System
  - Directory Service
  - User Distributed
  - Enterprise PKI solution
Slide 16: Components of PKI (Cont.)
- PKI Enabled Applications
  - Web Servers and Browsers
  - E-mail
  - Electronic Data Interchange (EDI)
  - Credit card Transactions over the Internet
  - Virtual Private Networks (VPNs)
Slide 17: PKI Evaluation Considerations
- Flexibility
  - Interface with standard directory structures like Lightweight Directory Access Protocol (LDAP) and X.500 (DAP)
  - Allow users to request certificates via e-mail
  - Standard interfaces such as PKCS #11 to work with various security tokens (for example smart cards and hardware security modules (HSMs))
  - Automated RA, if needed
Slide 18: PKI Evaluation Considerations (Cont.)
- Ease of Use
  - Management of PKI should be simple and not require a technical background to manage
  - Interface should be graphical and intuitive
- Supports Security Policy
  - CA/RA should be able to reflect the security policies of the organization in certificate issuance
Slide 19: PKI Evaluation Considerations (Cont.)
- Scalability
  - Support for additional applications as they come online
  - Ability to add CAs and RAs as needed to support organizational growth
  - Ability to support increased numbers of certificates issued as the PKI grows
Slide 20: PKI Evaluation Considerations (Cont.)
- Interoperability
  - PKI should be built to the most common commercial standards
  - PKI should be completely open to allow for future integration as IT infrastructure grows
  - PKI needs to be interoperable globally
Slide 21: PKI Evaluation Considerations (Cont.)
- Security of CA and RA
  - CA/RA is the center of PKI and should be held in a tamper-resistant security module
  - Backup copies are essential protection for disaster recovery
  - CA/RA system should have a secure audit trail that includes a time/date stamp and signature for each transaction
  - CA should be held to the highest commercial standard of security
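An added example of the "secure audit trail with a time/date stamp and signature for each transaction" bullet above; it is not code from the deck or from any PKI product. Each CA action becomes a record carrying a time stamp, a hash link to the previous record and an Ed25519 signature from an audit key (assumed to be a key the CA operator holds separately from the certificate-signing key), so that editing, deleting or reordering records is detectable by anyone holding the public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"time"
)

// Entry is one audit record: the CA action, its time stamp, a link to the previous record,
// and the audit key's signature over all of them.
type Entry struct {
	Seq       int
	Stamp     time.Time
	Action    string // e.g. "issue serial=1001 subject=alice@example.edu" (constructed wording)
	PrevHash  [32]byte
	Signature []byte
}

// tbs is the canonical byte string the signature covers: every field except the signature.
func (e Entry) tbs() []byte {
	return []byte(fmt.Sprintf("%d|%s|%q|%x", e.Seq, e.Stamp.UTC().Format(time.RFC3339Nano), e.Action, e.PrevHash))
}

// link hashes a finished record, content plus signature, for the next record to point at.
func (e Entry) link() [32]byte { return sha256.Sum256(append(e.tbs(), e.Signature...)) }

// Record appends a time-stamped entry signed with the audit key and chained to the last one.
func Record(key ed25519.PrivateKey, trail []Entry, action string, at time.Time) []Entry {
	e := Entry{Seq: len(trail), Stamp: at, Action: action}
	if len(trail) > 0 {
		e.PrevHash = trail[len(trail)-1].link()
	}
	e.Signature = ed25519.Sign(key, e.tbs())
	return append(trail, e)
}

// Verify returns -1 if every record is correctly signed and chained, otherwise the index of
// the first record where an edit, deletion, insertion or reordering breaks the trail.
func Verify(pub ed25519.PublicKey, trail []Entry) int {
	var prev [32]byte
	for i, e := range trail {
		if e.Seq != i || e.PrevHash != prev || !ed25519.Verify(pub, e.tbs(), e.Signature) {
			return i
		}
		prev = e.link()
	}
	return -1
}
```

Record(key, nil, "issue serial=1001 subject=alice@example.edu", time.Now()) starts a trail, and each later Record call appends to the slice it returns.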
Slide 22: WHAT ARE WE WAITING FOR?
- LET'S LET MIKEY TRY IT FIRST
Slide 23: Meet Mikey!
Slide 24: Taking Strategic Actions
- Advanced Campus Services: CIO/Associate Provost, Information Systems Technology creates a strategic unit
- Discovery of Resources: educating
- Organizational Structure: enabling interaction
- Performance Objectives: accomplishing goals
Slide 25: Advanced Campus Services: A Response to Ongoing Issues
- CSO to LDAP directory conversion in the queue for several years
- Authentication/authorization needs
- Student email a campus pressure point
- Audit findings call for account management
- Data feeds, interfaces between application domains becoming increasingly complex
Slide 26: Advanced Campus Services: Establishing a Strategic IT Unit
- ACS unit created February 2000
- Charged to plan and develop actions for
  - University-wide directory services
  - Public-private key infrastructure
  - Universal email solutions
  - Interfaces to one-card, library, other systems
- Broad, coordinating role in the establishment of standards, methods and processes
Slide 27: Discovery of Resources: Educating
- Aim is to find best practices
- Research resources
  - Higher education groups
  - Standards groups
  - Industry analysts
  - Application vendors
  - Trade journals, News, Georgia Code...
  - Internet/Libraries/People!
Slide 28: Discovery of Resources (cont.)
- Internet2 Middleware Initiative <http://www.internet2.edu/middleware/>
  - Higher Education Middleware services
  - Identifiers, directories, authentication, authorization
  - Overviews, conceptual framework, best practices, LDAP recipe
  - Extensive links to other sites
  - The Authoritative Hub for Higher Education
Slide 29: Discovery of Resources (cont.)
- CREN <http://www.cren.net/>
  - Mission is to support higher education and research organizations with strategic IT knowledge services
  - TechTalk series: live audiocasts
  - Interviews with technology experts, real-life scenarios
  - CREN Certificate Authority initiative
Slide 30: Discovery of Resources (cont.)
- Federal PKI Technical Working Group <http://gits-sec.treas.gov/fpkitechwork.htm>
  - Providing leadership in public key and directory technology over the last decade
  - Establishing models for interoperation
  - Addressing policy issues, cf. ACES
  - GTRI participated in Federal Bridge CA demonstration project
Slide 31: Discovery of Resources (cont.)
- Net@Edu PKI for Networked Higher Education Working Group <http://www.educause.edu/netatedu/groups/pki/>
  - Sponsoring a series of summit meetings
  - eduPerson LDAP objectclass (with Internet2): attributes of a higher education person
  - USG Central Office personnel involved
Slide 32: Discovery of Resources (cont.)
- The Burton Group <http://www.tbg.com/>
  - Network infrastructure strategy consultants
  - GSU subscribes to Network Strategy Service
  - Conducted seminars on directories (9/1999) and PKI (3/2000) for USG
  - TBG recommendations endorsed by ACIT
  - FYI: Jamie Lewis, CEO, is a GSU grad
Slide 33: Discovery of Resources (cont.)
- The GartnerGroup <http://gartner4.gartnerweb.com/public/static/home/home.html>
  - Industry consultant providing research highlights and analysis of industry trends
  - USG subscription
  - Decision Drivers service includes PKI model
    - 2,800 factors related to PKI vendor evaluation
    - Tool facilitates collaborative definition of criteria
Slide 34: Discovery of Resources (cont.)
- Internet Engineering Task Force (IETF) <http://www.ietf.org/>
  - LDAP Specifications (RFCs 2251-2256)
- Understanding and Deploying LDAP Directory Services, by Timothy Howes
  - Author of LDAP while at U. Michigan
  - Developed Netscape's LDAP directory
  - Text introduces directory architecture, addresses life-cycle deployment, and provides case studies
Slide 35: Discovery of Resources (cont.)
- Directory Interoperability Forum <http://www.directoryforum.org/>
  - Forum established 1999, then merged in July 2000 with...
- The Open Group's Directory Program <http://www.opengroup.org/directory/>
  - Promotes open and interoperable directories based on open standards
  - Members: Cisco, HP, IBM, Microsoft, Netscape, Novell...
- Universal Schema Reference <http://home.netscape.com/eng/server/directory/schema/>
  - 150 objectclasses, 600 attributes...
Slide 36: Discovery of Resources (cont.)
- SCT SUMMIT Conference for Banner Users <http://www.sctcorp.com/>
  - SCT architectural strategy includes LDAP
- CUMREC Annual Conference <http://www.cumrec.com/>
  - Directory, PKI sessions, networking (people)
- Senate Bill 465 (Georgia Technology Authority) <http://www.state.ga.us/cgi-bin/pub/leg/legdoc?billname1999/SB465docpartfull>
  - Legislation that includes commitment to digital signatures technology solutions
Slide 37: Discovery of Resources (cont.)
- Chronicle of Higher Education <http://chronicle.com/index.htm>
- Information Week <http://www.informationweek.com/newsflash/default.html>
- ACM TechNews <http://www.acm.org/technews/current/homepage.html>
- eUniversity news items
  - distance learning, online libraries, sharing research facilities, mobile users, ecommerce, virtual classrooms...
Slide 38: Organizational Structure: Enabling Interaction
- ACS: 2 staff providing a broad coordinating role to advance the development of a university-wide consensus regarding directions and strategies.
- A goal is to foster interactions and encourage communication
- Use IETF model: working groups convened to address specific tasks
Slide 39: Organizational Structure: Steering Group
- CIO and his IT Directors representing
  - Networks, educational technology, library systems, administrative applications, strategic planning
- Discussion and consensus process sets
  - Overall scope
  - Task priorities
  - Resource allocation
  - Liaison with University System, others
Slide 40: Organizational Structure: Data Stewards for GSU Person Working Group
- Functional data stewards representing
  - Human resources, student systems, affiliates, library, alumni, and information technology
- Reviewing eduPerson objectclass
- Mapping data sources to LDAP attributes
- Reconciliation, synchronization processes
- Recommending policy
  - cf. GSU Enterprise Directory Policy
Slide 41: Organizational Structure: LDAP Design Technical Working Group
- Senior technical staff: Unix and Novell
- Schema design: technical issues
- Implementation of the directory
  - Replication, synchronization
  - Interfaces between directories
  - Interoperability of clients
- Migration of existing directory apps: sendmail alias forwarding, dialin authorization, PPP access...
Slide 42: Organizational Structure: Interactions with other groups
- April 2000: GSU, OIIT, GaTech re GartnerGroup Decision Drivers for PKI
- June 2000: common directory proposal becomes SURA response to I2 PKILabs RFP (not awarded but contacts good)
- August 2000: common directory proposal restated for Vice Chancellor, OIIT
- October 2000: GSU, UGA, GIT, OIIT meet re LDAP directory implementation
Slide 43: Organizational Structure: Mutual Interest, Common Goals
- Internet2 Middleware Initiative's Goal: "The goal is to assist in the creation of interoperable middleware infrastructures among the membership of Internet2 and related communities."
  1. Make it happen...
  2. Be an honest broker
  3. Integrate across applications...
  4. Interoperate between campuses
- "Let's work together," says Mikey.
Slide 44: Performance Objectives: Accomplishing Goals
- March 2000: ACS establishes broad objectives based on
  - The Burton Group recommendations
  - Internet2 Middleware Initiative
  - Existing GSU application needs
- Expectation that as work proceeds, refinement of objectives will occur based on communication with and input of others
Slide 45: Performance Objectives (cont.)
- White Paper, 6/30/2000: summarize issues for successful infrastructure deployment
  - Take strategic enterprise approach
  - Use collaboration and communication
  - Leverage existing initiatives in community of interest
- Define PKI evaluation criteria, 7/15/2000
  - Ambitious, but GartnerGroup Decision Drivers a tool
  - Refined to: First establish directory infrastructure
Slide 46: Performance Objectives (cont.)
- Define GSU common directory, 8/15/2000
  - Of course this is ambitious, but you need a start
  - Data Stewards WG met biweekly from June 2000
  - 35 core attributes mapped to data sources
  - Reconciliation, prime authority issues being worked
- Identify collaborative opportunities, 8/15/2000
  - Common Directory...SURA...USG Common Directory
  - Internet2 BOF? SURA BOF? U. Alabama Birmingham?
  - If you don't ask, you can't get it.
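An added example, not GSU's code, of the mapping and "prime authority" reconciliation described on slides 40 and 46: each directory attribute lists the source fields that may supply it, the first listed source wins for single-valued attributes, multi-valued ones such as eduPersonAffiliation take the union of all sources, and disagreements are reported for the data stewards to resolve. The rule table, source names (hr, sis) and sample rows are constructed for the illustration, not the actual 35-attribute mapping.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule lists the "source:field" pairs that may supply one directory attribute, prime authority first.
type Rule struct {
	Attr    string
	Multi   bool     // multi-valued: take the union of all sources (someone can be staff and student)
	Sources []string // single-valued: keep the prime authority's value and flag any disagreement
}

// Constructed steward decision table for a few core attributes; not GSU's actual 35-attribute mapping.
var rules = []Rule{
	{"uid", false, []string{"hr:emplid", "sis:student_id"}},
	{"sn", false, []string{"hr:last_name", "sis:last_name"}},
	{"mail", false, []string{"sis:email", "hr:email"}},
	{"eduPersonAffiliation", true, []string{"hr:affiliation", "sis:affiliation"}},
}

// Sample holds constructed HR and student-system rows for one person who is both staff and student.
var Sample = map[string]map[string]string{
	"hr":  {"emplid": "000123456", "last_name": "Doe", "affiliation": "staff"},
	"sis": {"student_id": "000123456", "last_name": "Doe-Smith", "email": "jdoe@example.edu", "affiliation": "student"},
}

// Reconcile builds one person's entry from the source rows and reports each attribute where a lower-ranked source disagrees with the prime authority.
func Reconcile(sources map[string]map[string]string) (entry map[string][]string, conflicts []string) {
	entry = map[string][]string{}
	for _, r := range rules {
		for _, sf := range r.Sources {
			src, field, _ := strings.Cut(sf, ":")
			v, cur := sources[src][field], entry[r.Attr]
			known := false // does the entry already carry exactly this value?
			for _, x := range cur {
				known = known || x == v
			}
			switch {
			case v == "" || known: // nothing new from this source; a lower authority may still fill a gap
			case len(cur) == 0 || r.Multi:
				entry[r.Attr] = append(cur, v)
			default: // single-valued, already set by a higher authority, and this source disagrees
				conflicts = append(conflicts, fmt.Sprintf("%s: prime authority has %q, %s has %q", r.Attr, cur[0], src, v))
			}
		}
	}
	return entry, conflicts
}
```

For the sample rows the entry takes uid and sn from HR, mail from the student system (HR has none), both affiliations, and reports the surname disagreement as the one conflict.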
Slide 47: Performance Objectives (cont.)
- Draft policy and procedure for managing GSU Person, 9/15/2000
  - Purpose and guiding principles of stewardship
- Version 1.0 policy and procedure for managing GSU Person, 12/15/2000
  - Finalize via campus review
  - Documentation of identifiers, timing synchronization for directory, information for administrative account management
Slide 48: Performance Objectives (cont.)
- Identify directory infrastructure and PKI funding requirements, sources, 12/15/2000
  - Timing for FY 2001 year end and FY 2002
  - Coordination with USG directory strategies
- Establish account management for administrative applications, 3/15/2001
  - Each new person has accounts set up in timely manner
  - I2-MI Identifiers, Authentication, and Directories: Best Practices for Higher Education <http://middleware.internet2.edu/best-practices.html>
Slide 49: Conclusion
- Advanced Campus Services is key to GSU strategic focus for enterprise directories
- Full-time focus on broad coordinating role essential to establishing collaboration and consensus development of solutions
- Goal: provide a strategic, competitive advantage to the University System community.